473f745c3c
Add katello_satellite_priv_esc.rb
...
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping
2014-03-24 21:16:10 -05:00
53b25c8c93
Fix header & author e-mail format
2014-03-24 21:15:27 -05:00
d2a9a26bc8
real fix for sinn3r bug
2014-03-24 18:40:48 -05:00
ec35f4b13f
some bugs for sinn3r
2014-03-24 18:17:50 -05:00
460a1f551c
Fix for R7-2014-05
2014-03-24 14:12:12 -05:00
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
cd9182c77f
Msftidy warning fix on Joomla module.
...
Pre-commit hooks people.
2014-03-24 12:03:12 -05:00
c7ba7e4d92
Land #3131 , @xistence's exploit for CVE-2014-1903
2014-03-24 08:48:06 -05:00
c3b753f92e
Make PHPFUNC advanced option
2014-03-24 08:47:31 -05:00
4f333d84c9
Clean up code
2014-03-24 08:15:54 -05:00
d6f397ab6d
whoops that isn't how you EDB
2014-03-22 11:48:41 -05:00
291692d6e0
Update lifesize_uvc_ping_rce.rb
2014-03-22 11:30:00 -05:00
67a3a7227b
Create lifesize_uvc_ping_rce.rb
2014-03-21 21:33:12 -05:00
312f117262
updates file read to close file more quickly
2014-03-21 14:53:15 -04:00
13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec
2014-03-21 11:36:59 -05:00
4b2a2d4dea
Improve NTP monlist auxiliary module
2014-03-21 16:39:53 +01:00
fbcd661504
removed snmp_enum_hp_laserjet from this pull request
2014-03-21 15:58:53 +01:00
c4f0d8e179
FreePBX config.php RCE CVE-2014-1903
2014-03-21 10:29:15 +07:00
aa26405c23
Cleanup an expression and avoid fail_with
2014-03-20 17:33:09 -04:00
b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution
2014-03-20 12:32:14 -05:00
3d3681801a
Fix linux download_exec for #2961
...
Note! This module already seems pretty broken, in that it doesn't appear
to correctly locate curl or wget. Will open another bug on that.
[See RM #8777 ]
2014-03-20 12:09:38 -05:00
0c4b71c8bf
Land #3094 - Joomla weblinks-categories Unauth SQLI Arbitrary File Read
2014-03-20 12:08:18 -05:00
93ad818358
Fix header and e-mail format for author
2014-03-20 12:07:50 -05:00
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
74398c4b6e
Allow using a single URI and/or a list of URIs
2014-03-20 09:54:02 -04:00
4f1404eecc
reboot payload for mipsbe
2014-03-20 12:37:58 +01:00
2845f834c6
changed cookie retrieval to res.get_cookies
2014-03-20 16:39:26 +07:00
7bfb8e95e6
minor changes to seportal module
2014-03-20 13:44:39 +07:00
5ef49ff64b
SePortal 2.5 SQLi Remote Code Execution
2014-03-20 12:02:06 +07:00
a8d919feb0
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-19 23:32:04 -05:00
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
9b2cfb6c84
change default targeturi to something more universal
2014-03-19 21:03:50 -05:00
b52a535609
add official url
2014-03-19 20:41:32 -05:00
ab42cb1bff
better error handling for the user
2014-03-19 18:46:57 -05:00
b79920ba8f
Land #3089 , InvalidWordCount fix for smb_login
...
[FixRM #8730 ]
2014-03-19 16:12:56 -05:00
c1cbeff5f0
Land #3122 , lots of Meterpreter updates
...
This lands the binaries built from Meterpreter as of:
rapid7/meterpreter#80 , also known as
commit 5addac75741fadfff35f4f7839cee6fd69705455
as well as the functional changes in:
rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
fe0b76e24e
Land #2994 - OWA 2013 support
2014-03-19 13:16:37 -05:00
d6faf20981
Make title more accurate
2014-03-19 12:43:34 -05:00
144b86fee3
Add reference
2014-03-19 12:17:53 -05:00
27d142b387
Solve conflict by keeping file
2014-03-19 12:15:05 -05:00
fb645b6692
Clean code
2014-03-19 12:06:20 -05:00
0a795ab602
Land #3106 , @xistence's exploit for Array Networks devices
2014-03-19 10:49:03 -05:00
0e27d75e60
Code clean up
2014-03-19 10:48:25 -05:00
2ef2f9b47c
use vars_get
2014-03-19 07:51:34 -07:00
920b2da720
Merge branch 'master' into joomla_sqli
2014-03-19 07:43:32 -07:00
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
056ce5d097
removed file which did not belong in this pull request
2014-03-19 15:04:19 +07:00
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
379c0efd5a
Update POP chain documentation
2014-03-18 16:29:30 -05:00
77c128fbc5
Fix disclosure date and add ref
2014-03-18 16:21:44 -05:00
b6e8bb62bb
Switch exploitation technique to use default available classes
2014-03-18 16:07:50 -05:00
dfd3a81566
Land #3111 , hash rockets shouldn't be in refs
2014-03-18 14:25:04 -05:00
38176ad67d
Land #3109 , @xistence's Loadbalancer.org Enterprise VA applicance exploit
2014-03-18 06:53:26 -05:00
ddd923793a
Do minor clean up
2014-03-18 06:52:50 -05:00
ad49df4301
Register RHOST
2014-03-18 06:17:41 -05:00
600338bd29
Land #3108 , @xistence's exploit for Quantum vmPRO shell-escape
2014-03-18 06:12:18 -05:00
f656e5fedb
Do minor clean up
2014-03-18 06:11:02 -05:00
f86fd8af5d
Delete debug print
2014-03-17 21:01:41 -05:00
3bdd906aae
Add module for CVE-2014-1691
2014-03-17 20:47:45 -05:00
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
8fdb5250d4
changes to smtp relay aux module
2014-03-17 15:09:29 +07:00
9bb4e5cfc3
Loadbalancer.org Enterprise VA SSH privkey exposure
2014-03-17 14:22:51 +07:00
c116697c70
Quantum vmPRO backdoor command
2014-03-17 14:19:27 +07:00
ef4a019b20
Quantum DXi V1000 SSH private key exposure
2014-03-17 14:15:00 +07:00
e261975c34
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:11:16 +07:00
1043d9d8b2
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:06:55 +07:00
0b6a890137
Fix missing require in reverse_powershell
...
When initializing the db:
/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
from /opt/metasploit-framework/msfconsole:148:in `new'
from /opt/metasploit-framework/msfconsole:148:in `<main>'
2014-03-14 19:28:00 +00:00
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
a01dd48640
a bit better error message if injection works but no file
2014-03-13 13:38:43 -07:00
b0688e0fca
clarify LOAD_FILE perms in description
2014-03-13 13:11:27 -07:00
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
8db5d854c2
typo, null terminator
2014-03-13 18:38:27 +01:00
952b50f8c1
Add priv escalation mixin to the firefox local exploit.
2014-03-13 11:49:44 -05:00
2734b89062
update normalize_uri calls
2014-03-13 06:55:15 -07:00
5aad8f2dc3
Land #3088 , SNMP timestamp elements fix
2014-03-13 02:22:14 -05:00
7540dd83eb
randomize markers
2014-03-12 20:11:55 -05:00
3fedafb530
whoops, extra char
2014-03-12 19:54:58 -05:00
aa00a5d550
check method
2014-03-12 19:47:39 -05:00
f39e784d19
mipsle execve payload
2014-03-12 21:08:40 +01:00
9cb1c1a726
whoops, typoed the markers
2014-03-12 10:58:34 -07:00
6636d43dc5
initial module
2014-03-12 10:46:56 -07:00
206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
...
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656 .
[SeeRM #8730 ]
2014-03-11 14:30:01 -05:00
f7af9780dc
Rescue InvalidWordCount error
...
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
...
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
46c11ea2eb
Small fixes to m-1-k-3's mipsle reboot shellcode.
2014-03-10 17:17:23 -05:00
7da54eb9cf
Merge branch 'landing-3041' into upstream-master
...
Lands PR #3041 , @m-1-k-3's reboot shellcode.
2014-03-10 17:11:06 -05:00
2086224a4c
Minor fixes. Includes a test module.
2014-03-10 14:49:45 -05:00
26be236896
Pass MSFTidy please
2014-03-10 14:45:56 -05:00
8cfa5679f2
More nick instead of name
2014-03-10 16:12:44 +01:00
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument
2014-03-08 00:58:52 -06:00
151e2287b8
OptPath, not OptString.
2014-03-07 10:52:45 -06:00
5cf1f0ce4d
Since dirs are required, server will send/recv
...
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.
Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
37fa4a73a1
Make the path options required and use /tmp
...
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack
2014-03-07 10:29:56 -06:00
ebee365fce
Land #2742 , report_vuln for MongoDB no auth
2014-03-06 19:34:45 -05:00
84f280d74f
Use a more descriptive MongoDB vulnerability title
2014-03-06 19:20:52 -05:00
8a0531650c
Allow TFTP server to take a host/port argument
...
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.
This is almost never correct.
2014-03-06 16:13:20 -06:00
9638bc7061
Allow a custom .app bundle.
...
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
5abb442757
Adds more descriptive explanation of 10.8+ settings.
2014-03-06 15:15:27 -06:00
43d315abd5
Hardcode the platform in the safari exploit.
2014-03-06 13:04:47 -06:00
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
38a2e6e436
Minor fixes.
2014-03-05 19:03:54 -06:00
dca807abe9
Tweaks for BES.
2014-03-05 19:00:15 -06:00
12cf5a5138
Add BES, change extra_plist -> plist_extra.
2014-03-05 18:51:42 -06:00
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
cd3c2f9979
Move osx-app format to EXE.
2014-03-04 22:54:00 -06:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read
2014-03-04 17:52:29 -06:00
f0e97207b7
Fix email format
2014-03-04 17:51:24 -06:00
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
caaa419ef8
Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks
2014-03-04 15:24:02 -06:00
c86764d414
update default password to root
2014-03-04 11:55:30 -08:00
2b06791ea6
updates regarding PR comments
2014-03-04 10:08:31 -08:00
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
a3523bdcb9
Update mantisbt_admin_sqli.rb
...
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
f0868c35bf
Land #3050 - Fix tained perl payloads
2014-03-04 10:05:47 +10:00
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
98b59c4103
update desc
2014-03-03 12:40:58 -08:00
c5d1071456
add mantisbt aux module
2014-03-03 12:36:38 -08:00
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
6a02a2e3b3
NULL out envp pointer before execve call.
...
This was causing a crash on 10.9.
2014-03-03 08:56:52 -06:00
a005d69b16
Fix $PATH issues. Add FileDropper functionality
2014-03-02 20:43:17 +02:00
8c4b663643
Fix payloads to bypass Perl's Taint mode.
2014-03-02 18:39:05 +02:00
e6c1dd3f9e
Switch post module to fixed exploit module.
2014-03-02 17:42:48 +02:00
1d9e788649
Switch post module to fixed exploit module.
2014-03-02 17:24:22 +02:00
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
2870c89b78
Switch exploit module with post module.
2014-03-01 13:49:42 +02:00
17272acb27
Fix module code per recommendations
2014-03-01 00:53:24 +02:00
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00
42a730745e
Land #2418 , Use meterpreter hostname resolution
2014-02-28 14:45:39 -06:00
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
e99e668a12
Merge branch 'master' of github.com:rapid7/metasploit-framework
2014-02-28 10:12:03 -06:00
2b5e4bea2b
Landing Pull Request 3003
2014-02-28 10:10:12 -06:00
fd1586ee6a
Land #2515 , plaintext creds fix for John
...
[FixRM #8481 ]
2014-02-28 09:53:47 -06:00
12e4e0e36d
Return whether result is nil or not.
2014-02-28 10:17:37 -05:00
dfa91310c2
Support checking a single URI for ntlm information.
2014-02-28 08:47:29 -05:00
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
fd4457fce8
Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation
2014-02-27 23:56:49 +02:00
1a053909dc
Land #3044 , chargen_probe reported service fix
2014-02-27 14:33:06 -06:00
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
93ec12af43
Land #3035 - GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
2014-02-27 14:13:28 -06:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
8be33f42fe
Define service as udp
2014-02-27 12:53:29 -06:00
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
ea5fe9ec0a
Updated to use get_cookie
2014-02-27 08:52:54 -06:00
9e52a10f2d
Set SSL to default to true and removed SSL from register_options. Updated Author to include full name
2014-02-26 20:49:03 -06:00
d6b28e3b74
mipsel reboot payload
2014-02-26 20:34:35 +01:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
bfdefdb338
Land #3023 , @m-1-k-3's module for Linksys WRT120N bof reset password
2014-02-26 09:36:14 -06:00
6ba26bf743
Use normalize_uri
2014-02-26 09:35:42 -06:00
582372ec3e
Do minor cleanup
2014-02-26 09:32:11 -06:00
0531abb691
Land #3026 , @ribeirux DoS module for CVE-2014-0050
2014-02-26 08:53:55 -06:00
449d0d63d1
Do small clean up
2014-02-26 08:52:51 -06:00
b79197b8ab
feedback included, cleanup, login check
2014-02-26 13:44:36 +01:00
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
63bbe7bef2
Land #3034 , 302 redirect for http_basic
2014-02-25 13:54:58 -06:00
4cc91095de
Fix minor formatting issues
2014-02-25 13:48:37 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
6783e31c67
Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline
2014-02-24 15:59:49 -06:00
ead7cbc692
Author and URI fixed
2014-02-24 22:20:34 +01:00
f1e71b709c
Added 301 Redirect option to Basic Auth module
2014-02-24 14:59:20 -06:00
6f398f374e
Land #3032 , inside_workspace_boundary? typo fix
2014-02-24 14:55:09 -06:00
d2945b55c1
Fix typo
...
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
a50b4e88be
Fix msftidy warning: Suspect capitalization in module title: 'encoder'
2014-02-24 11:25:46 -06:00
2935f4f562
CMD target
2014-02-24 18:12:23 +01:00
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
b2d4048f50
Land #3027 , @OJ's fix for ultraminihttp_bof
2014-02-24 10:50:08 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
5cdd9a2ff3
Land #2995 - sqlmap minor cleanup, description & file tests
2014-02-24 10:39:01 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
0126e3fcc8
cleanup
2014-02-23 21:17:32 +01:00
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
8f7f1d0497
Add module for CVE-2014-0050
2014-02-22 14:56:59 +01:00
0dfa53840a
Add @Meatballs1 to authors
...
Add @Meatballs1 to author list, awesome changes and fixes to the code (almost complete rewrite)
2014-02-22 12:24:56 +02:00
ec8e1e3d6f
small fixes
2014-02-21 21:59:45 +01:00
1384150b7a
make msftidy happy
2014-02-21 21:56:46 +01:00
c77fc034da
linksys wrt120 admin reset exploit
2014-02-21 21:53:56 +01:00
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
e75a0ea948
Fix typo
2014-02-19 15:21:02 -06:00
aa07065f67
Land #2959 , reverse powershell payload by @Meatballs1
2014-02-19 15:14:54 -06:00
9fad43da08
Add license information
2014-02-19 15:11:12 -06:00
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
2e7a56b4a7
Land #3001 - SUB Encoder
2014-02-19 01:54:01 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
ff4e91bb1b
Check domain return value
2014-02-18 23:34:17 +00:00
e4aedfad43
Fixup netapi call
2014-02-18 23:30:29 +00:00
0480ad16aa
No common
2014-02-18 23:09:35 +00:00
c06f86cc2b
Updates
2014-02-18 20:31:31 +00:00
e7c3b94e60
Land #3006 , @todb-r7's pre-release fixes
2014-02-18 14:15:12 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update
2014-02-18 20:02:39 +00:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
3a8de6e124
replaced rhost by peer
2014-02-18 21:01:50 +01:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
4f9ab0b99f
Land #2903 , @Meatballs1 SPN gather post module
2014-02-18 13:53:32 -06:00
4903b05214
Fix tabs
2014-02-18 13:51:40 -06:00
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
66e2148197
linksys themoon command execution exploit
2014-02-18 19:43:47 +01:00
4dda7e6bad
linksys themoon command execution exploit
2014-02-18 19:42:50 +01:00
8a68323cf0
Dont keep checking domain
2014-02-18 17:52:34 +00:00
1bc94b8a9d
Merge for retab
2014-02-17 19:19:47 -06:00
e290529841
Sadly this url is dead
2014-02-17 22:07:19 +00:00
Ramon de C Valle
sinn3r
Brandon Perry
Brandon Turner
Tod Beardsley
jvazquez-r7
Joshua Smith
Matteo Cantoni
xistence
Spencer McIntyre
Michael Messner
William Vu
Brandon Perry
Daniel Miller
David Maloney
Joe Vennix
sho-luv
James Lee
OJ
Brendan Coles
sgabe
Meatballs
Sagi Shahar
jgor
Fr330wn4g3
Peter Arzamendi
kn0
ribeirux
staaldraad